Merge pull request #5594 from LibreSign/backport/5587/stable31

[stable31] feat: implement serial number with random number

Author: vitormattos

lib/Handler/CertificateEngine/OpenSslHandler.php

@@ -47,7 +47,10 @@ public function generateRootCert(
 
 		$csr = openssl_csr_new($this->getCsrNames(), $privateKey, ['digest_alg' => 'sha256']);
 		$options = $this->getRootCertOptions();
-		$x509 = openssl_csr_sign($csr, null, $privateKey, $days = 365 * 5, $options);
+
+		$serialNumber = random_int(1000000, 2147483647);
+
+		$x509 = openssl_csr_sign($csr, null, $privateKey, $days = 365 * 5, $options, $serialNumber);
 
 		openssl_csr_export($csr, $csrout);
 		openssl_x509_export($x509, $certout);
@@ -92,12 +95,13 @@ public function generateCertificate(): string {
 			throw new LibresignException('OpenSSL error: ' . $message);
 		}
 
+		$serialNumber = random_int(1000000, 2147483647);
+
 		$x509 = openssl_csr_sign($csr, $rootCertificate, $rootPrivateKey, $this->expirity(), [
 			'config' => $this->getFilenameToLeafCert(),
-			// This will set "basicConstraints" to CA:FALSE, the default is CA:TRUE
-			// The signer certificate is not a Certificate Authority
 			'x509_extensions' => 'v3_req',
-		]);
+		], $serialNumber);
+
 		return parent::exportToPkcs12(
 			$x509,
 			$privateKey,

lib/ResponseDefinitions.php

@@ -68,6 +68,8 @@
  *     subject: string,
  *     issuer: string,
  *     extensions: string,
+ *     serialNumber: string,
+ *     serialNumberHex: string,
  *     validate: array{
  *         from: string,
  *         to: string,

openapi-full.json

@@ -106,6 +106,8 @@
                     "subject",
                     "issuer",
                     "extensions",
+                    "serialNumber",
+                    "serialNumberHex",
                     "validate"
                 ],
                 "properties": {
@@ -121,6 +123,12 @@
                     "extensions": {
                         "type": "string"
                     },
+                    "serialNumber": {
+                        "type": "string"
+                    },
+                    "serialNumberHex": {
+                        "type": "string"
+                    },
                     "validate": {
                         "type": "object",
                         "required": [

openapi.json

@@ -106,6 +106,8 @@
                     "subject",
                     "issuer",
                     "extensions",
+                    "serialNumber",
+                    "serialNumberHex",
                     "validate"
                 ],
                 "properties": {
@@ -121,6 +123,12 @@
                     "extensions": {
                         "type": "string"
                     },
+                    "serialNumber": {
+                        "type": "string"
+                    },
+                    "serialNumberHex": {
+                        "type": "string"
+                    },
                     "validate": {
                         "type": "object",
                         "required": [

src/types/openapi/openapi-full.ts

@@ -1293,6 +1293,8 @@ export type components = {
             subject: string;
             issuer: string;
             extensions: string;
+            serialNumber: string;
+            serialNumberHex: string;
             validate: {
                 from: string;
                 to: string;

src/types/openapi/openapi.ts

@@ -980,6 +980,8 @@ export type components = {
             subject: string;
             issuer: string;
             extensions: string;
+            serialNumber: string;
+            serialNumberHex: string;
             validate: {
                 from: string;
                 to: string;

src/views/ReadCertificate/CertificateContent.vue

@@ -67,6 +67,10 @@
 					<span class="field-label">{{ t('libresign', 'Serial number') }}</span>
 					<span class="field-value">{{ certificate.serialNumber }}</span>
 				</div>
+				<div v-if="certificate.serialNumberHex" class="certificate-field">
+					<span class="field-label">{{ t('libresign', 'Serial number (hex)') }}</span>
+					<span class="field-value">{{ certificate.serialNumberHex }}</span>
+				</div>
 			</div>
 		</NcSettingsSection>
 

tests/php/Unit/Handler/CertificateEngine/OpenSslHandlerTest.php

@@ -245,4 +245,57 @@ public static function dataReadCertificate(): array {
 			],
 		];
 	}
+
+	public function testSerialNumberGeneration(): void {
+		$rootInstance = $this->getInstance();
+		$rootInstance->generateRootCert('', []);
+
+		$signerInstance = $this->getInstance();
+		$signerInstance->setCommonName('Test User');
+		$signerInstance->setPassword('123456');
+
+		$certificate = $signerInstance->generateCertificate();
+		$parsed = $signerInstance->readCertificate($certificate, '123456');
+
+		$this->assertArrayHasKey('serialNumber', $parsed, 'Certificate should have serialNumber field');
+		$this->assertArrayHasKey('serialNumberHex', $parsed, 'Certificate should have serialNumberHex field');
+		$this->assertNotNull($parsed['serialNumber'], 'Serial number should not be null');
+		$this->assertNotNull($parsed['serialNumberHex'], 'Serial number hex should not be null');
+
+		$this->assertNotEquals('0', $parsed['serialNumber'], 'Serial number should not be zero');
+		$this->assertNotEquals('00', $parsed['serialNumberHex'], 'Serial number hex should not be zero');
+
+		$serialInt = (int)$parsed['serialNumber'];
+		$this->assertGreaterThanOrEqual(1000000, $serialInt, 'Serial number should be >= 1000000');
+		$this->assertLessThanOrEqual(2147483647, $serialInt, 'Serial number should be <= 2147483647');
+
+		$this->assertIsNumeric($parsed['serialNumber'], 'Serial number should be numeric');
+		$this->assertMatchesRegularExpression('/^[0-9A-Fa-f]+$/', $parsed['serialNumberHex'], 'Serial number hex should contain only hex characters');
+	}
+
+	public function testUniqueSerialNumbers(): void {
+		$rootInstance = $this->getInstance();
+		$rootInstance->generateRootCert('', []);
+
+		$serialNumbers = [];
+		$numCertificates = 3;
+
+		for ($i = 0; $i < $numCertificates; $i++) {
+			$signerInstance = $this->getInstance();
+			$signerInstance->setCommonName("Test Certificate $i");
+			$signerInstance->setPassword('123456');
+			$certificateContent = $signerInstance->generateCertificate();
+			$parsed = $signerInstance->readCertificate($certificateContent, '123456');
+
+			$serialNumber = $parsed['serialNumber'];
+
+			$this->assertNotEquals('0', $serialNumber, "Certificate $i should not have serial number 0");
+
+			$this->assertNotContains($serialNumber, $serialNumbers, "Certificate $i should have unique serial number");
+
+			$serialNumbers[] = $serialNumber;
+		}
+
+		$this->assertCount($numCertificates, array_unique($serialNumbers), 'All serial numbers should be unique');
+	}
 }